[SRU][B/X][CVE-2018-10322][PATCH v2 0/4] XFS xfs_dinode_verify() DOS
William Breathitt Gray
william.gray at canonical.com
Wed Sep 2 19:41:34 UTC 2020
SRU Justification
=================
[Impact]
The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the
Linux kernel through 4.16.3 allows local users to cause a denial of
service (xfs_ilock_attr_map_shared invalid pointer dereference) via a
crafted xfs image.
[Test Case]
The upstream bugzilla page provides a test case to check if a kernel is
affected by this issue:
<https://bugzilla.kernel.org/show_bug.cgi?id=199377>
- Overview
Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting
and operating a crafted xfs image

- Reproduce
  # mkdir mnt
  # mount -t xfs 120.img mnt
  # gcc -o poc poc.c
  # ./poc ./mnt

- Reason
static int
xfs_xattr_get(const struct xattr_handler *handler, struct dentry *unused,
		struct inode *inode, const char *name, void *value, size_t size)
{
	int xflags = handler->flags;
	struct xfs_inode *ip = XFS_I(inode);
	int error, asize = size;

	/* Convert Linux syscall to XFS internal ATTR flags */
	if (!size) {
		xflags |= ATTR_KERNOVAL;
		value = NULL;
	}

	error = xfs_attr_get(ip, (unsigned char *)name, value, &asize, xflags);
	if (error)
		return error;
	return asize;
}

ip is invalid (0x8) returned from XFS_I.
[Regression Potential]
Regression potential is low; the changes necessary to backport consist of simple
context adjustments from the upstream patches.
[Miscellaneous]
Backports of commit 420fbeb4 and commit 3c6f46ea for Xenial are provided in
order to simplify the context adjustments of the subsequent patches.
Amir Goldstein (1):
  xfs: sanity check directory inode di_size

Darrick J. Wong (2):
  libxfs: synchronize dinode_verify with userspace
  xfs: move inode fork verifiers to xfs_dinode_verify

Eric Sandeen (1):
  xfs: enhance dinode verifier

 fs/xfs/libxfs/xfs_dir2.c       |   3 +-
 fs/xfs/libxfs/xfs_inode_buf.c  | 101 +++++++++++++++++++++++++++++++--
 fs/xfs/libxfs/xfs_inode_fork.c |  67 ----------------------
 3 files changed, 97 insertions(+), 74 deletions(-)
--
2.25.1